Note: This is an archival copy of Security Sun Alert 273169 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com
as Sun Alert 1021660.1.

A security vulnerability in the BIND DNS software shipped with Solaris:

1. Impact

A security vulnerability in the BIND DNS software shipped with Solaris
may allow a remote user who is able to perform recursive queries to
cause a server that is configured to support DNSSEC validation and
recursive client queries to return incorrect addresses for Internet
hosts, thereby redirecting end users to unintended hosts or services.

Note 1: BIND shipped with Solaris 8 does not support DNSSEC and is
therefore not impacted by this issue.

Note 2: Only systems with the BIND named(1M) service enabled are
impacted by this issue. To verify if BIND is running on a system, the
following command can be used:

$ pgrep named && echo "BIND is running"

Note 3: OpenSolaris distributions may include additional bug fixes
above and beyond the build from which they were derived. To determine
the base build of OpenSolaris, the following command can be used:

$ uname -v
snv_86

3. Symptoms

There are no predictable symptoms that would indicate the described
issue has occurred.

4. Workaround

As recursive queries are required to exploit this issue, it is possible
to reduce the likelihood of exploitation by using the "allow-recursion"
option in the "/etc/named.conf" file to restrict the list of hosts that
can perform these queries.

In addition, this issue can be prevented by disabling DNSSEC
functionality. This can be done by setting "dnssec-enable" to "no" in
"/etc/named.conf". Note that this may affect the security of DNS
transactions, as the facilities provided by DNSSEC will no longer be
available.
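
The following script is an added example, not part of the original Sun Alert: it reports how the two workaround options above are set in a named.conf, so the change can be confirmed before the service is restarted. The function names, the "trusted" ACL and both sample configurations are constructed for illustration.

```sh
#!/bin/sh
# Added example: report the two workaround settings in a named.conf.
# Handles "#", "//" and single-line /* */ comments. Out of scope: nested
# match lists, multi-line /* */ comments, resolving named ACLs.

flatten_conf() {   # stdin -> comment-free config on one line
    sed -e 's,/\*.*\*/,,g' -e 's,//.*$,,' -e 's,#.*$,,' | tr '\n' ' '
}

audit_named_conf() {   # usage: audit_named_conf < /etc/named.conf
    conf=$(flatten_conf)
    acl=$(printf '%s\n' "$conf" |
        sed -n 's/.*allow-recursion[[:space:]]*{\([^}]*\)}.*/\1/p')
    rec=unset          # "unset" means BIND's built-in default applies
    for t in $(printf '%s' "$acl" | tr ';' ' '); do
        rec=restricted
        if [ "$t" = any ]; then rec=any; break; fi
    done
    dnssec=$(printf '%s\n' "$conf" |
        sed -n 's/.*dnssec-enable[[:space:]]*\([a-z]*\)[[:space:]]*;.*/\1/p')
    echo "allow-recursion=$rec dnssec-enable=${dnssec:-unset}"
}

# Constructed sample: recursion open to every client, DNSSEC enabled.
sample_before() { cat <<'EOF'
options {
    allow-recursion { any; };   // any host may send recursive queries
    dnssec-enable yes;
};
EOF
}

# Constructed sample: both workarounds from this section applied.
sample_after() { cat <<'EOF'
acl "trusted" { 192.0.2.0/24; localhost; };   # constructed client range
options {
    allow-recursion { trusted; };
    dnssec-enable no;
};
EOF
}

echo "before: $(sample_before | audit_named_conf)"
echo "after:  $(sample_after | audit_named_conf)"
```
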

For Solaris 10 and OpenSolaris, once the configuration file has been
altered, the DNS service must be restarted by running the svcadm(1)
command as follows: